13 Replies Latest reply on Apr 19, 2018 10:26 AM by Michelle Miles

    GDPR - option to not capture / keep email address etc?

    Jenn Pellerin

      Hello -

       

      This could be answered elsewhere, but I cannot find it.

       

      I'm trying to make GDPR global in our instance to avoid any headache in the future. I am making the "I consent to receive future communications ..." etc on every form. However, I keep getting hung up on the capturing / retaining data on forms.

       

      If someone fills out a form to be emailed one of our white papers, do I also have to put in an option to not keep / retain their information? Email, name etc?

       

      I read the statement below here: GDPR Compliance and WordPress Forms: Everything You Need to Know - Ninja Forms

       

      "To Store or Not to Store?

      Drop dead easy way to comply: if you don’t need a record of the data collected via your forms, then simply don’t store the data. This eliminates any question of GDPR compliance. Just zip on over to the Emails & Actions tab of the form and toggle off (grey) the Store Submission action and make sure that if you’re using an email action that the email doesn’t include form fields with personally identifiable data."

      Can someone point me in the direction of more information on this? Is this also legally required? And how would we be able to email content if they do not want us to have their information?

        • Re: GDPR - option to not capture / keep email address etc?
          Sanford Whiteman

          "Drop dead easy way to comply: if you don’t need a record of the data collected via your forms, then simply don’t store the data. This eliminates any question of GDPR compliance"

          Ha, anyone who thinks there's a "drop dead easy" interpretation of GDPR hasn't been paying attention.

           

          Anyway, within Marketo there is no way to both capture information from forms and not store information from forms. For as long as the lead exists, their historical Activity Log exists. So at present you need to delete the lead -- there is no anonymization technique that will allow you to act on a Filled Out Form activity and then scramble/empty it.

          1 of 1 people found this helpful
          • Re: GDPR - option to not capture / keep email address etc?
            Michelle Miles

            Jenn, I also put in some notes and link to a consent example in my blog here: Marketing Strategies to Thrive in a GDPR World

              • Re: GDPR - option to not capture / keep email address etc?
                Jenn Pellerin

                Thanks Michelle! So what I've done for the moment is three separate fields:

                 

                1. Consent for processing (hidden field)

                2. Consent time and date token

                3. Consent notes (action they took - ex downloading white paper ABC)

                 

                On the bottom of forms, I have put "*Required: Content will be emailed to you. The information you provide will be used in accordance with the terms of our privacy policy." (Privacy policy is linked.)

                 

                After they fill out the form, the consent for processing is now "Yes". Fields 2 and 3 also fill in.

                 

                They will not be added to any mailing lists - hoping this is the good way to go.

                  • Re: GDPR - option to not capture / keep email address etc?
                    Michelle Miles

                    Hi Jenn -

                    I track data consent and email consent separately using the following fields:

                     

                    - Email Optin, Email DateTimestamp, Email Optin Source, Email Optin IP Address

                    - GDPR Processing Rights, GDPR Processing Rights DateTimestamp, GDPR Processing Rights Source, GDPR Processing Rights Notes

                     

                    A couple things to call out with that - I call it data rights, not consent. Because you could have rights through consent or legitimate interest.

                     

                    Also, the source could be the same as the email opt-in source. I like keeping the source separate from notes, because then I can include normalized phrases that I can filter off of in smart lists to encompass different scenarios, i.e. "Retain for 30 days only", or "Limited Processing Rights: No Scoring or Enrichment"

                     

                     

                    For a whitepaper example, I think you could simply have the opt-in language on the form, i.e.:

                    <unchecked, non-required checkbox> I would like to receive more <type of communication/information> from <company name>. I understand and agree to the privacy policy. <link privacy policy>

                     

                    Then you have full opt-in and data consent if you have a robust privacy policy. This info can then populate all fields. If the opt-in is ignored, only your data rights fields would be populated, something like this:

                    - GDPR Processing Rights = Yes

                    - GDPR Processing Rights DateTimestamp

                    - GDPR Processing Rights Source = Legitimate Interest from Whitepaper Form Download

                    - GDPR Processing Rights Notes = No processing unless consent obtained, Retain for 30 days only

                     

                    Then in the email with the whitepaper you can again invite the user to subscribe by directing them to an opt-in/subscription page and form. If no response, delete after 30 days. In the meantime, marketing suspend, and populate a marketing suspend reason with something to the effect of 'no email consent'.

                     

                    Does this help?

                     

                    I will be speaking in detail on this at Summit if you're interested.

                    1 of 1 people found this helpful
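
Added example, not part of the thread and not Marketo code: the retention rule from the last reply (suspend while waiting for an opt-in, delete once the "Retain for N days only" period has passed) applied to exported lead records. The dict keys reuse the field names from the post; the `id` key, the function names, and the "review" fallback for records with no retention phrase or timestamp are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Normalized phrase from the "GDPR Processing Rights Notes" field in the post.
RETAIN_RE = re.compile(r"Retain for (\d+) days only", re.IGNORECASE)

def retention_action(lead, now):
    """Return (action, reason) for one lead; keys mirror the post's field names."""
    if lead.get("Email Optin") is True:
        return ("keep", "email consent on record")
    match = RETAIN_RE.search(lead.get("GDPR Processing Rights Notes") or "")
    granted = lead.get("GDPR Processing Rights DateTimestamp")
    if match is None or granted is None:
        # Assumption: anything without a parseable retention rule goes to a human.
        return ("review", "no retention rule or timestamp")
    if now - granted >= timedelta(days=int(match.group(1))):
        return ("delete", "retention period elapsed without opt-in")
    # Still inside the window: hold all marketing, as the post suggests.
    return ("suspend", "no email consent")

def sweep(leads, now):
    """Map each lead id to its action so the result can be logged or audited."""
    return {lead["id"]: retention_action(lead, now) for lead in leads}

# Constructed sample records (not real data, not a Marketo export).
NOW = datetime(2018, 4, 19, tzinfo=timezone.utc)
NOTES = "No processing unless consent obtained, Retain for 30 days only"
SAMPLE_LEADS = [
    {"id": 1, "Email Optin": True,
     "GDPR Processing Rights DateTimestamp": NOW - timedelta(days=90),
     "GDPR Processing Rights Notes": NOTES},
    {"id": 2, "Email Optin": False,
     "GDPR Processing Rights DateTimestamp": NOW - timedelta(days=10),
     "GDPR Processing Rights Notes": NOTES},
    {"id": 3, "Email Optin": False,
     "GDPR Processing Rights DateTimestamp": NOW - timedelta(days=31),
     "GDPR Processing Rights Notes": NOTES},
    {"id": 4, "Email Optin": False,
     "GDPR Processing Rights DateTimestamp": None,
     "GDPR Processing Rights Notes": "Limited Processing Rights: No Scoring or Enrichment"},
]

if __name__ == "__main__":
    for lead_id, (action, reason) in sweep(SAMPLE_LEADS, NOW).items():
        print(lead_id, action, reason)
```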